This alert has been written for the IT teams of organisations and government. Entities are strongly encouraged to take immediate action to ensure affected devices are patched and investigate for potential compromise.
Background / What has happened?
- ASD’s ACSC is aware of activity impacting Cisco ASA devices in Australia. Together with our international partners, we have released Cyber Activity Impacting Cisco ASA VPNs.
- ASD’s ACSC can confirm that some Cisco ASA devices in Australia have been compromised.
- A Talos blog provides details of this activity.
- Cisco has released two new CVEs relating to the ASA device compromises:
  - CVE-2024-20353, which applies to management and VPN web servers for Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software and could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in denial of service (DoS).
  - CVE-2024-20359, which applies to a legacy capability that allowed for the preloading of VPN clients and plug-ins, has been available in Cisco ASA Software and Firepower Threat Defense (FTD) Software, and could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) with root-level privileges.
- Cisco has also released a third CVE known to impact ASA devices:
  - CVE-2024-20358, which applies to Cisco ASA restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) Software and could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) with root-level privileges.
Mitigation / How do I stay secure?
Australian organisations that have a Cisco ASA device should:
- Follow available patching advice
- Discontinue use of unsupported device models and software
- Mitigate malicious activity associated with these vulnerabilities; the malware analysis reports Line Dancer and Line Runner help network defenders with detection.
- Further mitigation advice can be found in the vendor notification, Cisco Event Response: Attacks Against Cisco Firewall Platforms.
Assistance / Where can I go for help?
The ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).